ArubaOS SSRF flaw closed as 'theoretical' despite researcher's proof
A security researcher found a way to probe internal servers on Aruba network equipment without logging in first. They submitted real evidence, but the vendor dismissed it as unproven and closed the case. The researcher is now asking the community to review the findings independently.
ArubaOS is the software that manages Wi-Fi networks in businesses and schools. The vulnerability chains two attack types together: XXE (XML external entity injection) lets an attacker submit a crafted XML document that tricks the device into reading its own internal files, and SSRF (server-side request forgery) then makes the device send requests to internal network addresses on the attacker's behalf. Chaining both without any login means an outsider could map servers sitting behind the firewall.
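To make the XXE half of that chain concrete from the defender's side, here is an added example (not code from the article, from the researcher, or from Aruba) showing how a service that accepts client-supplied XML can parse it while refusing the DOCTYPE and external-entity machinery that XXE, and the SSRF built on top of it, depend on. The helper names, the sample documents and the internal address 10.0.0.5 are all constructed for the illustration; the parser is Python's standard-library expat binding.

```python
import xml.parsers.expat
from xml.parsers.expat import XML_PARAM_ENTITY_PARSING_NEVER


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an external entity reference."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse client-supplied XML with every entity-expansion path closed.

    Hypothetical helper for illustration; returns the root tag and text content.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never load the external DTD subset or parameter entities.
    parser.SetParamEntityParsing(XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # A DOCTYPE is the only place an <!ENTITY ...> can be declared, so an
        # API that never expects one can refuse it outright.
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not accepted from clients")

    def reject_external_entity(context, base, system_id, public_id):
        # Defence in depth: returning 0 aborts the parse instead of fetching a
        # file:// or http:// target named by the client (the SSRF path).
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity

    state = {"root": None, "text": []}

    def on_start(tag, attrs):
        if state["root"] is None:
            state["root"] = tag

    def on_chars(chunk):
        state["text"].append(chunk)

    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Covers e.g. an undefined entity reference left over after a DOCTYPE
        # was refused; treat any parse failure as a rejection.
        raise UnsafeXMLError(f"parse aborted: {exc}") from exc
    return {"root": state["root"], "text": "".join(state["text"]).strip()}


def is_rejected(data: bytes) -> bool:
    """True when parse_untrusted_xml refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample inputs (textbook shapes, not payloads from the disclosure).
BENIGN = b"<config><hostname>ap-lab-01</hostname></config>"
XXE_FILE_READ = (b'<?xml version="1.0"?>'
                 b'<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>'
                 b"<config>&e;</config>")
XXE_SSRF = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE x [<!ENTITY e SYSTEM "http://10.0.0.5:22/">]>'
            b"<config>&e;</config>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))  # {'root': 'config', 'text': 'ap-lab-01'}
    print(is_rejected(XXE_FILE_READ), is_rejected(XXE_SSRF))  # True True
```

The design choice worth noting is that the DOCTYPE is refused before any entity is declared, so the `file://` and `http://` targets are never even parsed into the entity table; the `ExternalEntityRefHandler` is kept only as a second gate for parsers that must accept a DOCTYPE for legitimate reasons.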
The researcher submitted three pieces of evidence — a TCP pcap (a recording of network traffic), an SSH daemon log showing local connections, and an internal port scan result. Despite this, Aruba closed the report citing no 'valid PoC' (working exploit code). The researcher published everything publicly for independent review. Organizations running Aruba equipment should verify they are on the latest firmware and check which ports are exposed to the internet.
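One of the three artefacts was an SSH daemon log showing local connections: an sshd on the device seeing connection attempts that originate from its own loopback address is what SSRF-driven probing looks like from the inside, and it is something an operator can watch for in their own logs. The following is an added detection sketch, not code from the article, the researcher, or Aruba. It parses constructed sshd lines in OpenSSH's syslog style, keeps the connections that originate from a loopback address, and reports bursts of them that look like an internal port scan. The hostnames, timestamps, addresses and thresholds are all constructed.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog style; not from the researcher's evidence.
SAMPLE_LOG = """\
Jun 10 12:00:01 aruba-ctl sshd[2210]: Connection from 192.0.2.40 port 51012 on 10.1.1.5 port 22
Jun 10 12:00:02 aruba-ctl sshd[2210]: Accepted publickey for admin from 192.0.2.40 port 51012 ssh2
Jun 10 12:03:10 aruba-ctl sshd[2301]: Connection from 127.0.0.1 port 40001 on 127.0.0.1 port 22
Jun 10 12:03:10 aruba-ctl sshd[2301]: Connection closed by 127.0.0.1 port 40001 [preauth]
Jun 10 12:03:11 aruba-ctl sshd[2302]: Connection from 127.0.0.1 port 40002 on 127.0.0.1 port 22
Jun 10 12:03:11 aruba-ctl sshd[2302]: Connection closed by 127.0.0.1 port 40002 [preauth]
Jun 10 12:03:12 aruba-ctl sshd[2303]: Connection from 127.0.0.1 port 40003 on 127.0.0.1 port 22
Jun 10 12:03:12 aruba-ctl sshd[2303]: Connection closed by 127.0.0.1 port 40003 [preauth]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"Connection (?:from|closed by) (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+)")


def parse_sshd_events(text):
    """Extract connection open/close events with their peer address."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer = PEER_RE.search(m["msg"])
        if not peer:
            continue  # authentication lines and the like are not needed here
        events.append({
            "ts": m["ts"],
            # Syslog timestamps carry no year; the default 1900 is fine for ordering.
            "when": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "ip": ipaddress.ip_address(peer["ip"]),
            "port": int(peer["port"]),
            "kind": "open" if m["msg"].startswith("Connection from") else "close",
            "preauth": "[preauth]" in m["msg"],
        })
    return events


def find_loopback_probes(text, window_seconds=60, min_connections=3):
    """Report bursts of loopback-origin SSH connections within a time window.

    On a network controller nothing on the box should be opening SSH sessions
    to itself; several such attempts in quick succession, especially ones that
    close before authentication, are the signature of an internal port scan
    relayed through an SSRF-capable service.
    """
    opens = [e for e in parse_sshd_events(text)
             if e["kind"] == "open" and e["ip"].is_loopback]
    opens.sort(key=lambda e: e["when"])
    findings = []
    i = 0
    while i < len(opens):
        j = i
        while (j + 1 < len(opens)
               and (opens[j + 1]["when"] - opens[i]["when"]).total_seconds() <= window_seconds):
            j += 1
        if j - i + 1 >= min_connections:
            findings.append({
                "source": str(opens[i]["ip"]),
                "count": j - i + 1,
                "first": opens[i]["ts"],
                "last": opens[j]["ts"],
            })
            i = j + 1
        else:
            i += 1
    return findings


if __name__ == "__main__":
    for finding in find_loopback_probes(SAMPLE_LOG):
        print(finding)
    # {'source': '127.0.0.1', 'count': 3, 'first': 'Jun 10 12:03:10', 'last': 'Jun 10 12:03:12'}
```

In a real deployment the loopback test would be widened to the device's own management addresses, since an SSRF relay may reach sshd through any local interface, and the same event stream feeds the second recommendation in the article: a listing of which local ports received connections is a direct input to an audit of what is exposed.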
Key points
- ArubaOS 8.13.2 reportedly allows unauthenticated access to internal network services via chained XXE and SSRF
- Researcher provided network capture, SSH logs, and port scan results as evidence
- Aruba closed the report as 'theoretical' with no valid PoC, prompting public disclosure
- Aruba equipment users should apply the latest firmware and audit externally exposed ports
- Case highlights transparency concerns in vendor vulnerability response processes
Quick term guide
- server: A computer that stores files and shares them with other devices in your home.
- logging: Keeping records of what happened in a system so it can be checked later.
- software: Programs or apps that run on a computer or smartphone.
- business: An activity where you provide value to others in exchange for money.
- vulnerability: A flaw or weakness in software that an attacker could use to cause harm or gain unauthorized access.
- firmware: The low-level software that starts up a computer's hardware before the operating system loads.
- prompting: Writing instructions or questions to an AI to get a response.
- prompt: Text instructions you give to an AI tool.